709b07ef6d3a105e4f17eb92f6978c9b8597c8297f6391303670e2adaed90592

Analysis

max time kernel
3s
max time network
5s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16-03-2023 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

purchase order.exe
Size

504KB
MD5

76ef6dcc228516addb85969c619845f8
SHA1

ec42d448daf3645b980588f03e4a1d50a068e302
SHA256

709b07ef6d3a105e4f17eb92f6978c9b8597c8297f6391303670e2adaed90592
SHA512

4b37f2b3b5977a9d55021c02654095d79125838df1759684a93d08732777fe411841395179198a7c121b1f3ffd59d7c7d31b2ed9387d4e0765265c09716d1f0e
SSDEEP

12288:/YuffiNQGwOEphdUyTd7RqcNEb2SqH4y8jw:/YuffiQGwOERlucuqbv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4328	nbagek.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4328 set thread context of 4744	4328	nbagek.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4328	nbagek.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 4328	1192	purchase order.exe	86
PID 1192 wrote to memory of 4328	1192	purchase order.exe	86
PID 1192 wrote to memory of 4328	1192	purchase order.exe	86
PID 4328 wrote to memory of 4744	4328	nbagek.exe	87
PID 4328 wrote to memory of 4744	4328	nbagek.exe	87
PID 4328 wrote to memory of 4744	4328	nbagek.exe	87
PID 4328 wrote to memory of 4744	4328	nbagek.exe	87

C:\Users\Admin\AppData\Local\Temp\purchase order.exe
"C:\Users\Admin\AppData\Local\Temp\purchase order.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\nbagek.exe
  "C:\Users\Admin\AppData\Local\Temp\nbagek.exe" C:\Users\Admin\AppData\Local\Temp\usjvx.r
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Users\Admin\AppData\Local\Temp\nbagek.exe
    "C:\Users\Admin\AppData\Local\Temp\nbagek.exe"
    3⤵
    PID:4744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\geytosefgdo.zh

Filesize
460KB

MD5
9d5bd78f657d9ccef877c3beef82759c

SHA1
539ae458cd7a065d0284223f665a6e8f0ee578a0

SHA256
6de95df699cfe0c0b66493b584345c1c3f469dc9394c3d0405bba8eafdd21ba8

SHA512
7edebc7d46b64253704c95cbce13e1debba75625f17ff370526c8ae78cba000e2badf346cae00d9acbccb4fb1b50974ef10498f995d8f3319f95947eb182ab03

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbagek.exe

Filesize
58KB

MD5
7b2dababe7304999f68211fdaa1148ce

SHA1
3a053a885695db89f28c797ac3c8f69c39246385

SHA256
2885c4d23594a128e1b7fe02b2ea18adf29a5f2ac5db0b304c35285cd14dad31

SHA512
366f118fe9bb594d5f2c38309aa58babd0be6da675a764c5f939e7ae6889cad64873c550d79c3f2fdb17dbe97e609b2a24bb7207f7bb78434edefd83f30fe1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbagek.exe

Filesize
58KB

MD5
7b2dababe7304999f68211fdaa1148ce

SHA1
3a053a885695db89f28c797ac3c8f69c39246385

SHA256
2885c4d23594a128e1b7fe02b2ea18adf29a5f2ac5db0b304c35285cd14dad31

SHA512
366f118fe9bb594d5f2c38309aa58babd0be6da675a764c5f939e7ae6889cad64873c550d79c3f2fdb17dbe97e609b2a24bb7207f7bb78434edefd83f30fe1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\usjvx.r

Filesize
5KB

MD5
6bc43682a311227742e5a6dfff67160b

SHA1
36054c3b086af268f3f1274eb66b167fe66712d3

SHA256
882d92f276cfc9c196fe2bf27dd3fbb24b0e5b473791d2d4ac716ec0da17cac8

SHA512
f3b153d2c73662dddf5d8c1bfd342409edfbac6931c6d867928aedef61d7c3ee4511a9da5721843bd78f394be9008f71829cbc16e9f106dadd5f5615faf1b9c2

Download Submit